Example: Configuring an F5 load balancer
With the F5 load balancer, network traffic is decrypted at the load balancer before it is sent to the backend pool, which improves performance. If you are using an F5 load balancer, configure it before you deploy BMC Helix Operations Management.
Before you configure an F5 load balancer, make sure of the following:
- The following URLs point to the load balancer:
  - Tenant URL
  - LB_HOST
  - TMS_LB_HOST
  - MINIO_LB_HOST
- The load balancer is configured with the following headers: X-Forwarded-Host, X-Forwarded-Proto, X-Forwarded-Port
  HTTP::header insert X-Forwarded-Host [HTTP::host]
  HTTP::header insert X-Forwarded-Proto "https"
  HTTP::header insert X-Forwarded-Port "443"
- The configmap for the ingress also needs the following settings:
  use-forwarded-headers: "true"
  use-proxy-protocol: "true"
For more information, see Load-balancer-requirements
To configure an F5 load balancer, perform the following steps:
- Import or create the SSL certificate.
- Create an SSL profile in F5.
- Create the pool.
- Create iRules.
- Configure the virtual server.
1. To create or import a certificate/key pair
If you are configuring SSL Offloading or re-encryption, you must import a certificate in F5 as a .pem file. You can also import the certificate/key pair from .p12 files. Click the Import button in the F5 user interface to import a certificate.
You can also create a certificate by clicking the Create button.
After you import or create the certificate, it is available in F5 as shown in the following image:
2. To create an SSL profile in F5
- In the F5 user interface, go to the Local Traffic > Profiles: SSL : Client > New Client SSL Profile page.
- In the Certificate key chain field, select the check box and then click Add.
- In the Add SSL Certificate to Key Chain dialog box, add the required details:
  - Select the certificate and key.
  - If the certificate is not part of the same chain, select a chain.
  - If the certificate has a passphrase, enter the passphrase.
3. To create a pool
- In the F5 user interface, go to the Local Traffic > Pools: Pool List > New Pool page.
- Click Create.
- In the Health Monitors field, select http or https from the Active box and move it to the Available box.
- Under Resources, in the New Members field, do the following:
  - Add the node name. This is not mandatory. However, we recommend adding it so that you can easily recognize a resource from a list.
  - Add the static IP address.
  - Add the service port and select the http or https option based on the SSL option you are using.
  - Click Add to add a node.
- Repeat this process for each node that you want to add.
You can view the list of all the pools on the Local Traffic > Pools: Pool List page.
You can create multiple pools, with http or https, that use the same nodes.
4. To create an iRule
iRules are one of the methods to set the required headers. You can create iRules to inject the X-Forwarded headers when you use the SSL offloading or re-encryption options. The following X-Forwarded headers are required:
- X-Forwarded-Host
- X-Forwarded-Proto
- X-Forwarded-Port
Example iRule
The following image displays one of the ways in which you can configure an iRule to set the required headers:
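An iRule that sets the three required headers, written here as an added example (it is not BMC's or F5's own iRule and not the one from the original image). It removes any client-supplied X-Forwarded-* headers first, because HTTP::header insert adds a header without removing existing ones and the ingress is configured with use-forwarded-headers: "true"; the "https" and "443" values assume SSL offloading on port 443, as in the header lines earlier on this page.

```tcl
when HTTP_REQUEST {
    # Drop X-Forwarded-* values sent by the client so the ingress only
    # sees the values set by the load balancer.
    HTTP::header remove X-Forwarded-Host
    HTTP::header remove X-Forwarded-Proto
    HTTP::header remove X-Forwarded-Port

    # Set the three required headers.
    # Assumption: the virtual server terminates TLS on port 443.
    HTTP::header insert X-Forwarded-Host [HTTP::host]
    HTTP::header insert X-Forwarded-Proto "https"
    HTTP::header insert X-Forwarded-Port "443"
}
```

Attach the iRule to the virtual server that carries the HTTP profile; the HTTP_REQUEST event does not fire without one.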
5. To configure the virtual servers
You can configure virtual servers with the following options:
- SSL offloading
- Full SSL proxy or re-encryption
- Passthrough
For this document, we will configure the virtual servers with the SSL Offloading option.
To configure a virtual server with the SSL offloading option:
- In the F5 user interface, go to the Local Traffic > Virtual Servers > Virtual Server List page.
- Configure the values for the virtual server.
The following table describes the required configurations for BMC Helix IT Operations Management:
- Click Finished to configure the virtual server.